Kuhring, Mathias
2024-Apr-15 08:02 UTC
[Samba] Status of LDAPS port 636 with Winbind idmap backend ad in 2024?
Dear Samba community,

We run two Samba servers in a CTDB cluster in a small group within a bigger company. We use Winbind to authenticate and authorize against a company-wide Active Directory (using `security = ads` and `idmap config OURDOMAIN : backend = ad`, resp., among others). So, if I understand this correctly, authentication is done via Kerberos and authorization via LDAP.

Unfortunately (but understandably), our central IT department recently disabled standard LDAP (port 389) in favour of LDAPS (port 636). Since then, I can only authenticate users (e.g. `wbinfo -u` and `wbinfo -a someuser` work), but not further authorize them (e.g. `wbinfo -g`, `wbinfo --user-info someuser`, `wbinfo -S somesid` or `id someuser` fail or give no output). Consequently, users can not mount their Samba shares anymore. And so far I have not been able to make Winbind work correctly again.

According to several older discussions and documentation, LDAPS with port 636 is not supported for the ad idmap backend, e.g.:

- https://lists.samba.org/archive/samba/2011-July/163473.html
- https://docs.citrix.com/de-de/linux-virtual-delivery-agent/current-release/configure/administration/others/ldaps.html#winbind
- https://community.spiceworks.com/t/sssd-and-winbind-to-use-ssl-port-636-as-ms-doing-away-with-389/748554/5
- https://access.redhat.com/solutions/157603

Is this still the case? I can't seem to find recent documentation or discussions which state otherwise (e.g. no mention of LDAPS/TLS/SSL in the AD config page: https://wiki.samba.org/index.php/Idmap_config_ad).

I played around with parameters such as `ldap ssl = start tls` and `client ldap sasl wrapping = seal` (instead of the deprecated `ldap ssl ads = yes`). But if I understand correctly, these parameters are limited to Start TLS on port 389.
I deployed certificates correctly on the system (`/usr/bin/update-ca-trust`), as I can confirm independently from Samba/Winbind with ldapsearch, e.g.:

`ldapsearch -x -H ldaps://controller.domain.com:636 -D "someuser@ourdomain.com" -W -b "dc=ourdomain,dc=com" "(cn=*somename*)"`

There are parameters to activate LDAPS on a Samba server which acts as an AD DC: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Then there should also be parameters for a Samba+Winbind server acting as a client of this AD, no?

As alternatives, I also tried the ldap and rid idmap backends (configs below). But neither resulted in working authorization (i.e. neither was able to provide group memberships). I don't understand if the ldap backend is actually supposed to also work with an AD LDAP or just with a Samba-provided LDAP. And I would assume that rid is no proper replacement for ad anyway, since I wouldn't be able to reproduce the same GIDs as provided by the AD. I also tried different cache cleanings in between, without any change.

So, are there any (new) parameters I'm missing here that make Winbind / idmap backend ad work with LDAPS (port 636)? Are there any (other) workarounds which should work? Did I make obvious mistakes with my workarounds? I'm also considering using SSSD instead of Winbind, but I think I remember reading that it is also not really supported/recommended with Samba.

ADs disabling standard LDAP (port 389) in favour of LDAPS (port 636) seems to become more and more common. Hence, that there is so little information/documentation for Samba/Winbind about this seems odd to me. Any help to make this work again is appreciated.
Thank you very much in advance,
Best Wishes,
Mathias

ldap backend config:

```
idmap config OURDOMAIN : backend = ldap
idmap config OURDOMAIN : read only = yes
idmap config OURDOMAIN : ldap_url = ldaps://controller.ourdomain.com:636
idmap config OURDOMAIN : ldap_user_dn = someuserdn
idmap config OURDOMAIN : ldap_base_dn = somebasedn
idmap config OURDOMAIN : range = 100000 - 199999
ldap ssl = off
```

Plus:

```
net idmap set secret ourdomain <secret>
```
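As an added example (not from the post above and not Samba's own tooling): a small Python checker that parses `idmap config <DOMAIN> : <key> = <value>` lines the way they appear in the config above and flags settings that silently break Winbind's authorization step: an `ldap` backend whose `ldap_url` is not `ldaps://`, a malformed or missing `range`, and ranges that overlap between idmap blocks. The sample config is constructed from the post's ldap-backend block; the `*` default block and its range are assumed additions, not from the post.

```python
import re

# Constructed smb.conf fragment modelled on the post's ldap-backend config; all placeholders.
SAMPLE_SMB_CONF = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config OURDOMAIN : backend = ldap
    idmap config OURDOMAIN : read only = yes
    idmap config OURDOMAIN : ldap_url = ldaps://controller.ourdomain.com:636
    idmap config OURDOMAIN : ldap_base_dn = somebasedn
    idmap config OURDOMAIN : range = 100000 - 199999
"""
# Matches 'idmap config <DOMAIN> : <key> = <value>'; keys may contain spaces ("read only").
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(conf):
    """Group idmap settings per domain, keys lower-cased: {'OURDOMAIN': {'backend': 'ldap', ...}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def parse_range(text):
    """'100000 - 199999' -> (100000, 199999); ValueError if malformed or empty."""
    lo, hi = (int(p) for p in text.split("-"))
    if lo >= hi:
        raise ValueError(f"empty idmap range {text!r}")
    return lo, hi

def check_idmap(domains):
    """Return findings: non-ldaps ldap_url, bad/missing ranges, overlapping ranges."""
    findings, ranges = [], {}
    for dom, cfg in domains.items():
        if cfg.get("backend") == "ldap" and not cfg.get("ldap_url", "").startswith("ldaps://"):
            findings.append(f"{dom}: ldap_url is not ldaps://, plain LDAP may be blocked")
        try:
            ranges[dom] = parse_range(cfg["range"])
        except (KeyError, ValueError) as e:
            findings.append(f"{dom}: bad or missing range ({e})")
    # Winbind needs the ranges of all idmap blocks (the '*' default included) to be disjoint.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a} and {b} overlap")
    return findings
```

Run `check_idmap(parse_idmap(open("/etc/samba/smb.conf").read()))` against a real config to list the findings; an empty list means none of these three problems is present.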
Ralph Boehme
2024-Apr-15 19:14 UTC
[Samba] Status of LDAPS port 636 with Winbind idmap backend ad in 2024?
On 4/15/24 10:02, Kuhring, Mathias via samba wrote:
> Is this still the case?

Thankfully implementing channel bindings has recently been funded by one of our customers, so LDAPS is soon coming (back) to Samba.

https://gitlab.com/samba-team/samba/-/merge_requests/3516

Iirc it will also be available to idmap_ad, but I'm not familiar with the details. metze?

-slow

--
SerNet Samba Team Lead
Samba Support, Consulting and Development
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/